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(57) Abstract 

The invention relates to a method of controlling unauthorised 
copying of data, for example copying of audio data from an original 
Compact Disc (CD), or copying of audio data files which have been 
legally purchased over a network system, for example using the 
Internet. In particular, although not exclusively, the invention relates 
to a method and apparatus for controlling unauthorised copying 
of music onto portable solid state memory audio player devices 
(2), or onto removable solid state memory cards (3) for use with 
such portable player devices. A data copying and playback system 
incorporating copy management is also claimed. 
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COPY MANAGEMENT FOR DATA SYSTEMS 

The present invention relates to a method of controlling 
unauthorised copying of data, for example copying of audio 
5 data from an original Compact Disc (CD) , or copying of audio 
data files which have been legally purchased over a network 
system, for example using the Internet. In particular, 
although not exclusively, the invention relates to a method of 
controlling unauthorised copying of music onto portable solid 
10 state memory audio player devices, or onto removable solid 
state memory cards for use with such portable player devices. 

Some past attempts at controlling copying of audio data have 
relied on a user entering a registration character string or 

15 number to enable a player system (e.g. a personal computer 
(PC) with an audio playback facility) to decode audio data 
which is supplied in encoded or encrypted form to the player 
system. Such systems are not particularly user friendly and 
are compromised if the user gives away the registration string 

20 or number to other parties. 

Portable audio players are known which allow a user to 
playback music which is stored (in digital form) in a solid 
state memory of the player. The solid state memory may, for 

25 example, be FLASH memory incorporated in the player itself,, or 
may be provided as a removable FLASH memory card for insertion 
into the player device. PCs are readily available which can be 
configured to enable a user to copy or * download" audio data 
from the Internet, or from a CD engaged in a CD-ROM drive of 

30 the computer, onto a storage medium such as a hard disk of the 
PC. Equipment is also available which enables a user to copy 
audio data stored in the hard drive of the PC into the solid 
state memory of a portable audio player device. The portable 
player device may then be used by a user to playback music at 

35 a remote location e.g. while out jogging. 

In general, there is nothing to stop a user from using such 
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equipment to make many unauthorised copies of audio data, for 
example repeated copies of a single, legally purchased CD, or 
even many copies of an unauthorised copy of a CD which may be 
available for download from, for example, the Internet- This 
5 gives great concern to musicians and the music industry alike. 

It is an aim of the present invention to avoid or minimise one 
or. more of the foregoing disadvantages. 

10 According to one aspect of the present invention we provide a 
method for controlling the number of data player devices which 
may be used for playback of data which has been copied, using 
a copying system, from a first data storage means accessible 
to the copying system in use thereof, to a second data storage 

15 means associated with the player device (s), the method 
comprising the steps of: 

providing a copy management means to which data copied from 
the first data storage means is delivered; 

providing a registration code for each of a plurality of data 
20 player devices, said registration codes all being different; 
providing a private key for each of said data player devices, 
said private keys all being different; 

storing a predetermined maximum number of said registration 
codes in a memory means of the copy management means; 
25 using an encryption key provided in the copy management means 
to encrypt data delivered to the copy management means from 
the copying system, and using each stored registration code to 
encrypt a decryption key provided in the copy management 
means, so as to provide a plurality of respective encrypted 

30 decryption keys; 

transferring the encrypted data to a second data storage means 
associated with at least one said player device, together with 
the plurality of encrypted decryption keys; 
using the private key provided in said at least one player 

35 device to decrypt the respective encrypted decryption key, and 
using the decrypted decryption key to decrypt the encrypted 
data transferred to said second data storage means; 
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and preventing new registration codes from being stored in the 
memory means of the copy management means until a 
predetermined time period has elapsed. 

5 One advantage of the above method is that it provides a 

registration scheme for player devices which limits the number 
of player devices which can be used at one time to listen to 
music which has been copied from another source, using the 
copying system. If only a limited number of players can be 

10 used to playback music which has been copied, this may tend to 
dissuade users from, for example, producing a multiplicity of 
copies of a single CD, and moreover even if mass copies are 
made, a user cannot playback the music from such a copy 
without using a player which was registered with the copying 

15 system when the copying was carried out. 

The decryption key provided in said at least one player device 
may also be the encryption key used to encrypt the data being 
copied. Alternatively, the decryption key may be a separate 
20 key, different to the encryption key. 

The private key provided in each player device may in fact be 
the registration code for the player device. In general, 
though, the private key will preferably be a separate key, 

25 different to the registration code. The advantage of this is 
that while the registration code may, in some cases, to some 
extent be accessible to a user in that it must be transferred 
from the player device to the second data storage means, the 
private key can be held in a tainper-proof location in the 

30 player device and need never be transmitted outside the player 
device . 

According to another aspect of the invention we provide copy 
management apparatus for controlling the number of data player 
35 devices which may be used for playback of data which has been 
copied, using a copying system, from a first data storage 
means accessible to the copying system in use thereof, to a 
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second data storage means associated with the player 
device (s), the apparatus comprising: 

memory means for storing up to a predetermined maximum number 
of registration codes, each said code being associated with a 

5 respective data player device; 

encryption means for encrypting data delivered thereto, 
including an encryption key for use in carrying out the data 
encryption, and including encryption means for encrypting a 
decryption key, provided in the apparatus, using each said 

10 registration code which is stored in the memory means in-order 
to generate a respective encrypted decryption key for each 
said stored registration code; 

clock means for measuring the passing of a finite 
predetermined period of time within which new registration 

15 codes are prevented from being stored in the memory means; 
monitoring means for monitoring the number of registration 
codes stored in the memory means and starting said clock means 
when said monitoring means detects that the predetermined 
maximum number of codes have been stored; 

20 protection means for setting the memory means in a protected 
mode, in which new registration codes are prevented from being 
entered in the memory, while said clock means measures the 
passing of said finite period of time; 

registration handler means for receiving at least one 
25 registration code uploaded, directly or indirectly, from at 
least one said data player device, comparing said at least one 
uploaded registration code with the registration codes already 
stored in the memory means, storing said at least one uploaded 
registration code in the memory means if the memory means does 
30 not already contain said at least one uploaded registration 
code and the memory means does not already contain said 
predetermined maximum number of registration codes, and 
preventing said uploaded registration code from being stored 
in the memory means if the memory means is set in said 
35 protected mode; and 

data transfer means for transferring the encrypted data, 
together with each said encrypted decryption key, to a second 
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data storage means associated with at least one said player 
device . 

The encrypted copied data can subsequently be accessed by a 
5 data player device associated with said second data storage 
means. A said data player device whose registration code is 
stored in the memory of the said copy management apparatus 
will be provided with identifier means for identifying the 
respective encrypted decryption key for the said data player 

10 device, and with decryption means for decrypting the encrypted 
decryption key and subsequently using said decrypted 
decryption key to decrypt the encrypted data, stored in the 
second data storage means . The decryption means provided in 
the player device preferably includes a private key stored in 

15 the player device, for use in decrypting the encrypted 
decryption key. 

The afore-described data player devices may, for example, be 
for playback of audio data i.e. music. Alternatively, or 
20 additionally, the player devices could, for example, be 
portable "electronic book" devices for playback of written 
data . 

Preferably, said second data storage means associated with the 
25 player device (s) comprises a removable memory card which is 
formed and arranged for removable engagement with a 
complementary interface provided in data player device (s) . It 
will be appreciated that the removable memory card need not be 
connected to a said player device when encrypted data is being 
30 transferred thereto, and that the card will generally be 
capable of interfacing with any of a number of data player 
devices, for example a set of player devices owned by one 
user, such as a portable audio player device, a home stereo 
system, and a car audio system. The user will also own a 
35 copying system in the form of, for example, a PC system and 
additional necessary equipment, for copying data (e.g. audio 
data) from a CD or DVD onto the removable memory card, or a 



BNSDOCID: <WO 0031744A1_L> 



WO 00/31744 PCT/GB99/03877 

6 

specially adapted dedicated audio dubbing station designed to 
copy audio data from one or more CDs or DVDs onto the 
removable memory card (as described in our concurrent British 
patent application) . The memory card is therefore also formed 

5 and arranged for interfacing with such a copying system. The 
copying system may, alternatively, be in the form of a set-top 
box system designed for copying data purchased from a network 
supplier (e.g. cable supplier) onto the removable memory card. 
In the latter case it will be appreciated that the "first data 

10 storage means" will generally comprise a memory of the set- top 
box in which data purchased from the network supplier is 
downloaded from the network. 

Alternatively, the second data storage means associated with 
15 the player device (s) may comprise solid state memory 

permanently incorporated in each said data player device and 
each player device is adapted for interfacing directly with 
the copy management apparatus to receive the encrypted data 
transferred therefrom. 

20 

The monitoring means preferably comprises counter means for 
counting the number of registration codes which are written to 
the memory means. The registration handler means is preferably 
formed and arranged to check the status of the counter means, 

25 upon receiving an uploaded registration code, and to allow or 
prevent the uploaded registration code from being written in 
the memory means according to whether the counter means 
indicates that the memory means already contains said 
predetermined maximum number of stored registration codes or 

30 not, respectively. 

The encryption (and/or decryption key, where this is not the 
same as the encryption key) may be selected from a 
predetermined list of encryption and/or decryption keys stored 
35 in a memory means of the copy management apparatus. 

Alternatively, the encryption means may include encryption key 
and/ or decryption key generating means for generating at least 
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one encryption key and/or decryption key. 

The above-described copy management apparatus for controlling 
the number of data player devices which may be used may be 
5 implemented in an Application Specific Integrated Circuit 
(ASIC) . The ASIC may be incorporated in the copying system 
itself or may alternatively be provided as external hardware 
for connection between the copying system and the removable 
memory card or data player device. 

10 

Preferably, the encryption means, including the encryption key 
(and decryption key, where this is not the same) are held in 
an internal non-volatile memory means provided in the ASIC, 
which location is inaccessible to a user. The clock means, the 
15 monitoring means, the protection means and the memory means 
for storing said registration codes are also all preferably 
inaccessible to a user. In this manner the copy management 
apparatus may be made substantially tamper-proof. 

20 In another possibility, the above-described copy management 
apparatus for controlling the number of data player devices 
may be implemented by processor means controlled by software 
or firmware code held in a memory means of the copying system. 

25 According to another aspect of the invention we provide a data 
copying and playback system incorporating copy management, the 
system comprising: 

copying means for copying digital data from a first data 
storage means accessible to the copying means in use thereof 
30 to at least one second data storage means provided as part of 
the copying and playback system; 

at least one data player device for playing back data (for 
example, text or music) stored on an associated said second 
data storage means, each said player device having a 
35 respective registration code and a respective private key 

stored in a first memory means provided in the player device; 
second memory means associated with the copying means for 
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storing up to a predetermined maximum number of said 
registration codes, each code being associated with a 
respective said player device; 

encryption means for encrypting data copied from the first 
5 data storage means, including an encryption key for use in 
carrying out the data encryption, and including encryption 
means for encrypting a decryption key provided in the copying 
means using each said registration code which is stored in the 
second memory means, in order to generate a respective 
10 encrypted decryption key for each said stored registration 
code; 

clock means for measuring the passing of a finite 
predetermined period of time within which new registration 
codes are prevented from being written to the second memory 
15 means ; 

monitoring means for monitoring the number of registration 
codes stored in the second memory means and starting said 
clock means when said monitoring means detects that the 
predetermined maximum number of codes have been stored; 
20 protection means for setting the second memory means in a 

protected mode, in which new registration codes are prevented 
from being stored therein, while said clock means measures the 
passing of said finite period of time; 

registration handler means for receiving at least one said 
25 registration code uploaded, directly or indirectly, from at 
least one said data player device, comparing said at least one 
uploaded registration code with the registration codes already 
stored in the second memory means, storing said at least one 
uploaded registration code in the second memory means if the 
30 second memory means does not already contain said at least one 
uploaded registration code and the memory means does not 
already contain said predetermined maximum number of 
registration codes, and preventing said uploaded registration 
code from being stored in the second memory means if the 
35 second memory means is set in said protected mode; and 

data transfer means for transferring the encrypted data to at 
least one said second data storage means, together with each 
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said encrypted decryption key; 

decryption means provided in each said player device for 
decrypting the encrypted data transferred to said second data 
storage means, and including decryption means for decrypting 
5 the encrypted decryption key using the respective private key 
for the said player device; 

digital to analogue converter means for converting the 
decrypted digital data into an analogue data signal for. a user 
to playback; and 

10 playback means for playing the decrypted analogue data signal 
to a user, for example via speakers or headphones (where the 
analogue data signal is music) , or via a visual display screen 
(where the analogue data signal is text) . 

15 The second data storage means preferably comprises a removable 
solid state memory card formed and arranged for interfacing 
with the player device and with the copying means. In use, the 
registration code stored in the first memory means, in the 
player device, may be uploaded therefrom to the memory card 

20 which may then be interfaced with the copying means for 

uploading the registration code into the second memory means 
associated therewith. 

Alternatively, the second data storage means comprises solid 
25 state memory means incorporated in the player device, and the 
player device is formed and arranged for interfacing to the 
copying system to enable the registration code stored in the 
first memory means in the player device to be uploaded 
therefrom to the registration handler means which may, for 
30 example, be provided in an interface means of the copying 

means. In this case, the first memory means may be provided in 
the second data storage means in the player device or may be 
provided as a separate memory in the player device. 

35 The decryption means and the D/A converter means are 

preferably provided in an ASIC incorporated in the player 
device. In this way, no data will appear outside the ASIC in 
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an unencrypted form, except in an analogue data signal (e.g.. 
music) for user playback. 

Preferred embodiments of the invention will now be described 
5 by way of example only and with reference to the accompanying 
drawings in which: 

Fig.l is a schematic illustration of the main components of an 

audio copying and playback system, incorporating a copy 

management scheme according to the invention; 
10 Fig -2 illustrates four basic steps involved in a copy 

management scheme based on the use of removable memory cards; 

Fig. 3 illustrates two basic steps in a modified copy 

management scheme involving only a copying station or unit and 

portable player device(s); 
15 Fig. 4 is a detailed block diagram illustrating data transfer 

operations between a removable memory card and a portable 

audio player device; 

Fig. 5 is a detailed block diagram illustrating data transfer 
operations between the removable memory card of Fig . 2 and an 

20 audio dubbing station; 

Fig. 6 is a flow diagram illustrating the main operational 
steps carried out to uploading a registration code from the 
player device to the removable memory card of Fig . 4 ; 
Fig. 7 is a flow diagram illustrating the main operational 

25 steps carried out to transfer data from the audio dubbing 
station to the removable memory card of Fig. 5; and 
Fig. 8 is a flow diagram illustrating the main operational 
steps carried out to transfer and playback data from the 
removable card using the player device of Fig. 4. 

30 

Fig.l shows a copying system in the form of a unit 1 which may 
be used to copy audio data onto solid state memory from which 
the audio data can be played back to a user, remotely from the 
copying unit 1, using a player device 2. The copying unit 1 
35 may, for example, be a dubbing station specially designed for 
receiving one or more Compact Discs (CDs) and copying audio 
data therefrom onto solid state memory. Such a dubbing station 
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is described in our British Patent Application No. 9825338.8 
filed 19 November 1998, entitled "Audio Dubbing System". 
Alternatively, the copying system may comprise a PC with a CD- 
ROM drive or network access to, for example, the Internet, or 

5 a set -top box unit via which a user may purchase and download 
audio data (e.g. from a cable supplier) . The player device 2 
may be a portable audio player designed to interface to a 
removable solid state memory card 3 having FLASH or DRAM 
memory 5, which card 3 can be engaged in the copying unit 1 

10 and having an interface 4 for enabling digital audio data 
copied (e.g. from a CD) by the copying unit to be downloaded 
onto the card 3. Alternatively, the FLASH or . DRAM memory 5 may 
be incorporated in the player device 2 itself which is 
provided with an interface 4 for interfacing to the copying 

15 unit 1. The copying unit 1 includes encryption means 7 for 
encrypting digital data to be copied onto the FLASH/DRAM 5 . 
The encryption means comprises encryption software, using 
known encryption algorithms, programmed into a memory of a 
processor means provided in the copying unit. Suitable 

20 encryption algorithms are described in the following 

references, although these shall not be taken to be exclusive 
(other encryption algorithms may also be suitable) : (1) A S 
Tanenbaum, "Computer Networks", 1989, Prentice-Hall Inc , USA, 
Second Edition (2) R L Rives t, A Shamir and L M Adleman, "A 

25 method for obtaining digital signatures and public-key 

cryptosystems", Communications of the ACM, 21(2): 120-126, 
Februray 1978 (3) [RY97], M Robshaw and Y Yin, "Elliptic curve 
cryptosystems", RSA Laboratories Technical Note, Revised June 
27, 1997. 

30 

The player device 2 includes a decoder 6 in the form of 
decryption software, or dedicated decryption hardware, for 
decrypting the encrypted data downloaded to the FLASH/DRAM, as 
well as an interface 8 for interfacing the decoder 6 with the 
35 FLASH/DRAM 5. The player device 2 also includes a D/A 
converter 9 for converting decrypted digital data into 
analogue audio, which a user may listen to via headphones 10. 
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Fig. 2 illustrates four steps carried out during operation of 
the apparatus of Fig.l, where a removable memory card 3 is 
used. In Step 1, a user registers one or more different player 

5 devices 2 (e.g. a portable player, car player unit and a home 
stereo unit incorporating solid state memory) with the memory 
card 3, by uploading a respective registration code 20 stored 
in each player device 2 (stored in substantially tamper-proof 
memory in the player devices 2), into the memory card 3. In 

10 Step 2, the registration code(s) are uploaded from the card 3 
into a memory of the copying unit 1 (e.g. dubbing station or 
vending unit/set-top box) . Each registration code is only 
uploaded if; (1) the memory does not already contain said 
registration code; (2) the memory does not already contain a 

15 predetermined maximum number of stored registration codes of 
player devices; and (3) the memory is not set in a protected 
state in which new registration codes are prevented from being 
written to the memory. 

20 In Step 3, encrypted audio data is transferred from the 

copying unit 1 to the memory card 3, together with one or more 
encrypted versions of a decryption key, which in this 
embodiment is the same key as the encryption key which was 
used to encrypt the audio data. (This key shall hereinafter 
25 thus be referred to a the encrypt /decrypt key. ) The 

encrypt /decrypt key is encrypted once using each registration 
code stored in the memory of the copying unit 1, so as to 
produce one or more different encrypted versions of the 
encrypt /decrypt key. In Step 4, the card 3 is interfaced with 
30 the player device 2 (via a dedicated interface 90 of the 
player) which extracts the encrypted data from the card 3, 
including a relevant one of the encrypted versions of the 
encrypt /decrypt key, and decodes the encrypted data using the 
encrypt /decrypt key which the player device decodes first, 
35 using a private key, held in the player for this purpose. The 
decoded audio data is converted to analogue form in the player 
device for playback to a user. 
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Figs, 4 and 5 illustrate in more detail the key components of a 
hardware embodiment of the copy management scheme, and the 
data transfer operations carried out therebetween* Figs, 4 and 
5 5 show an audio system incorporating a "base unit" 1 which 
delivers data from a data source 22 to a removable FLASH card 
3 . The data source 22 may a copying unit as afore-described 
for copying data from, for example, a CD or DVD, or may be a 
memory (such as a hard disk) to which data has already been 

10 copied (e.g. from a CD using a copying unit, or downloaded 
from the Internet) . Integrated circuitry containing various 
components, which will be described in further detail below, 
is contained in the base unit 1 (preferably in an Application 
Specific Integrated Circuit (ASIC) , for implementing the copy 

15 management scheme. A removable FLASH card 3 (of any convenient 
known type) is provided for interfacing with the base unit 1, 
via a memory card interface 2 5 for receiving data therefrom, 
and for interfacing with one or more player devices 2 (only 
one shown in Fig. 4). The ASIC in the base unit 1 incorporates 

20 an encryption module 26, a registration handler module 27, a 
non-volatile memory 28 for storing registration codes, a 
random encrypt /decrypt key generator module 29, an internal 
clock 30, and a counter unit 31 (incorporating the clock 30) 
in which a counter value 32 is stored in volatile memory 33 

25 therein. The non-volatile memory 28 contains memory locations 
for holding a write flag 34 (for indicating that the non- 
volatile memory 28 is in write-protected mode) . The non- 
volatile memory 28 also contains a write counter (not shown) 
which generates a write count 35, as will be described 

30 herebelow. The base unit 1 also has an interface 24 for 
interfacing with the removable memory card 3 . • 

The player device 2 also contains an ASIC containing a decoder 
module 36, a D/A converter 38, and a non-volatile memory 3 9 
35 holding a registration code or "key*. 37 for the player device, 
as well as a private key 42 for the player device. The player 
has an output 40 for connection to an. audio output means e.g. 
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headphones (not shown) . The card 3 incorporates memory 60 
containing a dedicated set of memory locations 45 for holding 
up to a predetermined maximum number of registration codes 20, 
the remainder of the memory locations in the card 3 being 
5 available for storing: encrypted data 50,51 downloaded from 
the base unit 1; up to a predetermined maximum number of sets 
(in Fig. 4, up to at least three sets 52,53,54 ) of encrypted 
decryption key(s) 52,53 downloaded from the base unit (there 
being enough storage space available for up to a predetermined 
10 maximum number of such encrypted decryption keys in each set) , 
each encrypted decryption key being stored on the card, 
together with the respective player registration key 37 
corresponding thereto; and for storing Table of Contents (TOO 
information 55 (optional) . The card 3 may also incorporate a 
15 controller 62 for controlling the interfacing of the card 3 
with the interfaces 25, provided in the player device (s) 2 
and the base unit 1. 

The remaining components of the base unit 1 and the player 
20 device (s) 2 will be described with reference to the operation 
of the whole system as follows. Figs. 7, 8 and 9 also 
illustrate, in flow diagram form, the sequence of described 
operational steps . 
(A) Player registration (to Card) 
25 As illustrated in Fig. 7, the first step in the process, once 
the card 3 has been connected/ interfaced to a player 2, is to 
retrieve the list of player registration keys (if any) already 
stored on the card 3. If any of these stored registration keys 
match the registration key of the player which a user is 
30 attempting to register on the card 3, the registration process 
is ended, with no registration key being uploaded from the 
player to the card (since that player's key registration key 
is already stored on the card 3) . If none of the already 
stored registration keys match, a checking operation is 
35 carried out ( by a registration handler module 7 0 provided in 
the player 2 , via the card controller 62, if any) to see if 
there is memory space available in the specified memory 45 of 
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the card 3 to store the new registration key 37. If there is 
space, the new registration key is uploaded (i.e. copied to) 
the card 3, by the registration handler 70, from the non- 
volatile memory in the player. If there is not enough space 
5 available, the user is notified, via a user interface provided 
in the player 2, that there is not enough space. (The user may 
be given the option to delete, or overwrite, an existing 
registration key stored on the card 3, in order to allow the 
new registration key to be uploaded. ) 
10 (B) Transfer of Data from Base Unit to Card 

Fig. 8 illustrates in flow diagram form the following described 
steps, which are carried out by the registration handler 27 in 
the base unit 1: 

Check that card 3 is connected/interfaced to base unit 1 
15 (card interface 24 thereof.) If not connected, request 

user (via user interface on base unit 1) to connect card 
3. If card 3 is connected, compare registration key(s) 20 
stored in card 3 with those already stored (if any) in 
the non-volatile memory 28 of the base unit. If there are 
20 no matches, check to see if the write flag 34 is enabled 

(set to 1). If it is, this indicates that a new 
registration key can be written, so registration handler 
27 uploads (i.e. copies) a new registration key from the 
list stored on the card 3, in the non-volatile memory 28 
25 of the base unit 1 (by adding it to the next empty 

registration key store 21 provided in the memory 28, or 
otherwise overwriting stored keys in circular fashion) , 
and adds one to the write count 3 5 stored in the same 
memory 28 of the base unit 1. The registration handler 27 
30 checks to see if the maximum allowed write count has now 

been reached (by comparing the write count with a 
predetermined maximum value also stored in the non- 
volatile memory 28) and if it has, the counter 3 3 in the 
counter unit 31 is reset (so as to start counting up to a 
35 predetermined count value) and the write flag is disabled 

. (by resetting the bit to zero) . If the maximum write 
count has not been reached, the next new registration 
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code will be uploaded from the card 3 in the same way as 
the previous one, and this process will continue until 
the maximum write count is reached (or there are no more 
new registration keys to be uploaded) . 

5 

The clock 30, internal to the counter unit 31, is a free 
running oscillator linked to the counter 33 which, once 
started, is set to count up to a predetermined threshold 
value. While the counter 33 is counting up to this threshold 

10 count value the write flag remains disabled (i.e. binary bit 
is set to zero) in memory 28 so that the memory 2 8 is set in 
PROTECTED mode whereby no new registration keys can be written 
thereto . The count value thus determines the predetermined 
period of time (e.g. 24 hours) which must pass before the 

15 write flag is reset. Once this set time period has elapsed the 
clock counter 33 is reset and the write flag 34 enabled (i.e. 
binary bit switched to one) to indicate that the non-volatile 
memory 2 8 is now in ENABLED state in which new registration 
codes may be written thereto. 

20 

The counter unit 33 is implemented in an SRAM which is powered 
by a battery. If the battery is taken out, the count value 32 
(stored in volatile memory) is reset (i.e. all bits of count 
are reset back to zero). So, while battery power is available, 

25 the counter counts up until it reaches a predetermined 

threshold value. A counter test module 72 is incorporated in 
the counter unit 31 which constantly compares the count value 
with a threshold count value stored therein and which, when 
this threshold value is reached, switches a binary digit (i.e. 

30 the write flag 34) stored in the non-volatile memory 28 of the 
base unit 1 to one, indicating that new player (s) 2 can again 
be registered. Because the count value 32 is stored in 
volatile memory, if the battery is removed before the counter 
reaches the predetermined threshold count, then the counter 

35 resets to zero and counts back up from zero again when the 
battery power is applied again. 
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While the write flag is disabled, the memory 28 is in 
PROTECTED status. In this protected status, the registration 
handler 27 will disallow any more registration codes to be 
written to the non-volatile memory 28 of the base unit. If the 
5 write flag 34 is enabled, the memory 28 is in ENABLED state 
and registration keys are allowed to be uploaded thereto. 

Once all new registration codes which are allowed to be 
uploaded into the base unit 1 have been uploaded, the next 
10 step is the transfer, to the memory card 3, of data delivered 
from the data source 22. This is achieved by the following 
process : 

a) Data is delivered from the data source 22 to the 
encryption module 2 6 via a data source interface 74 in the 

15 base unit 1; 

b) Separate Encryption and Decryption keys are 
generated in the base unit 1 by a random encrypt and 
decrypt session key pair generator 2 9 (in two alternative 
possible embodiments, the Encryption and Decryption keys 

20 are selected from a preset internal list stored in the 

ASIC of the base unit 1, or a single encrypt /decrypt key 
is generated and used for both encryption and 
decryption) . An additional encryptor 7 8 in the base unit 
1 uses the player registration keys stored in location 21 

25 of the non-volatile memory 28 to encrypt the randomly 

generated decryption key, which results in several 
different respective encrypted decryption keys 54. The 
generated encryption key is used to encrypt all the data 
delivered to the encryption module 2 6 from the data 

30 source 22 in one "session" (where one session is one data 

download operation e.g. downloading the contents of one 
CD) . The encrypted data 56, and encrypted keys, are 
passed through a data formatter 80 in the base unit which 
formats the data into a suitable form for transferring to 

35 the memory card 3. The formatter 8 0 attaches these 

encrypted decryption keys to the encrypted data 50,21, 
for example in the form of a header, together with the 
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respective player registration key 37 for each encrypted 
decryption key, before transferring this information, as 
a data file F3 (for this one session), via the interface 
24, to the card 3 connected thereto (via the controller 
5 62 thereof, if any) as illustrated schematically in 

Figs . 4 and 5 . 

In Figs. 4 and 5 the card 3 already carries two other 
data files Fl, F2 containing encrypted data and encrypted 
10 decryption keys transferred to the card 3 in two previous 

"sessions". A different encryption key and decryption 
key pair is randomly generated for each session by the 
random session-key-pair generator 29. 



15 (C) Playback Operation (Card to Player data transfer) 

Fig. 8 illustrates the series of steps carried out in 
order to playback data stored on the card 3, using the 
player device 2 . With the card 3 connected to the card 
interface 90, a key look-up module 92 in the player 2 

20 looks up the registration keys 37 stored in the or each 

data file Fl,F2,F3 stored on the card 3, and compares 
these with the player's own registration key 37. If there 
is no match, the user is informed, via a user interface 
in the player, that access to the data on the card is 

25 restricted (i.e. forbidden) to this player device 2. 'If a 

match is found, the corresponding encrypted decryption, 
key 54 is downloaded from the card and is decrypted (by a 
decryption module 94 in the player device) using the 
private key 42 stored in the player device 2 for this 

30 purpose. The encrypted data 5 6 (from the same data file 

F3 as the encrypted decryption key) is downloaded from 
the card 3 and decrypted (by the data decryption module 
36) using the decrypted decryption key. 

35 The decrypted audio data is converted to an analogue 

waveform by the D/A converter 3 8 in the player 2, and sent 
to the output 40 of the player, via an amplifier 96. 
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It will be appreciated that the player private key 42 is never 
transmitted outside the player device. By using tamper-proof 
non-volatile memory 98 to store the private key .42 in the 
5 player, the whole encryption/decryption system is made very 
secure. The registration key of the player is preferably also 
stored in the tamper-proof memory 98. 

It will be appreciated that in the above embodiments, the 
10 audio data which is delivered from the base unit 1 to the 
encryption module 26 will generally be compressed audio data. 
The data compression may, for example, have been carried out 
during the copying of the data from a CD or DVD (using a 
copying system or unit) , or the data may have been downloaded, 
15 in compressed form, from the Internet. Alternatively, it 
would though be possible for the data compression and 
encryption to be carried out together in the base unit 1 using 
a single compression/encryption algorithm to carry out both 
compression and encryption simultaneously, in the base unit 1. 
20 It will be appreciated that the decoder provided in the player 
device 2 will therefore also incorporate complementary 
decompression means for decompressing the decrypted audio 
data, or combined decompression/decryption means. 

25 Although only one memory card 3 and one player device 2 are 
shown in the drawings, it will be appreciated that many 
different memory cards 3 could be used, each in the same 
manner as the above-described card 3. Also, the system is 
generally intended for use with two or more player devices 2 

30 e.g. portable player, home stereo unit, car stereo unit etc., 
each having its own different registration code. 

The player (s) 2 and/or the base unit 1 may be provided with 
means to allow a user to delete data (e.g. encrypted audio 
35 data, stored registration keys and encrypted decryption keys) 
from the memory card(s) .3, in order to allow new data to be 
stored (and new. players registered with the card(s) ) . Also, a 
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facility may be provided to enable the user to rearrange the 
order of stored player registration keys. 

Furthermore, the registration keys may include code which 
5 identifies a player as a certain type of player e.g. portable 
player, car player, and the system may be configured so as not 
to allow more than one of any said type of player to be 
registered with the base unit 1 at one time. 

10 In any of the above-described embodiments, the registration 
handler 27 in the base unit 1 may incorporate a user interface 
for enabling a user to input manually (to the registration 
handler 27) the player registration codes, rather than these 
having to be uploaded directly from the player (s) 2 or card(s) 

15 3 . Although this system could thus be implemented without 
having to permanently store the player registration codes in 
the player (s) 2, preferably such a manual input facility would 
be provided as an additional feature of the system rather than 
as a replacement for the above-described system in which 

20 registration keys are stored in the player (s) and are loaded 
onto the card(s) 3, or into the base unit 1, directly from the 
player (s) . 

It will further be appreciated that various modifications to 
25 the above described embodiments are possible without departing 
from the scope of the invention. For example, Fig. 3 
illustrates an alternative audio copying and playback system 
in which, instead of using removable memory card(s) 3, the 
solid state memory onto which the audio data is delivered by 
30 the base unit 1 is incorporated permanently inside each player 
device 2, which in this case are portable audio player 
device (s) . The system operates in exactly the same way as 
above-described with regard to the card/player /base unit 
system, with solid state memory provided in the player device 
35 performing all the functions/operations carried out by the 
memory card 3 in the above-described embodiment. 
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Also, it is possible that the data which is delivered from the 
data source 22 may already be in encrypted form e.g. if the 
data has been downloaded from a network supplier in encrypted 
form. In this case, the base unit 1 is provided with 
5 decryption means for decrypting this data, prior to encrypting 
it again using the encryption key provided in, or generated 
randomly, in the base unit 1. It is envisaged that it would be 
possible for an additional registration key/private key system 
similar to that described above (sometimes referred to as a 

10 "public key/private key" encrypt /decrypt system) to be used to 
control the decryption of such data by the base unit 1. This 
would involve the base unit 1 having its own. registration code 
or key which is stored at the original data source (e.g. at 
the network supplier's end) and is used to decrypt encrypted 

15 data downloaded to the base unit. 

It will also be appreciated that instead of using dedicated 
hardware such as ASICs , in the base unit 1 to carry out the 
above-described copy management operations, the base unit may 

20 incorporate a processor programmed with appropriate software 
and/or firmware, to carry out the necessary operational steps 
described with reference to the flow chart of Fig. 7. 
Similarly, the or each player device 2 could incorporate a 
processor programmed with appropriate firmware (code) to carry 

25 out the registration handling, key look up and decryption 
functions. 
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CLAIMS 



1. A method for controlling the number of data player 
devices (2) which may be used for playback of data which has 

5 been copied, using a copying system (1), from a first data 
storage means (22) accessible to the copying system in use 
thereof, to a second data storage means (3) associated with 
the player device(s), the method comprising the steps of: 
providing a copy management means to which data copied from 

10 the first data storage means is delivered from the copying 
system (1) ; 

providing a registration code (37) for each of a plurality of 
data player devices (2), said registration codes all being 
different; 

15 providing a private key (42) for each of said data player 
devices, said private keys all being different; 
storing a predetermined maximum number of said registration 
codes in a memory means (28) of the copy management means; 
using an encryption key provided in the copy management means 

20 to encrypt data delivered to the copy management means from 
the copying system, and using each stored registration code to 
encrypt a decryption key provided in the copy management 
means, so as to provide a plurality of respective encrypted 
decryption keys; 

25 transferring the encrypted data to a second data storage means 
(3) associated with at least one said player device, together 
with the plurality of encrypted decryption keys; 
using the private key provided in said at least one player 
device to decrypt the respective encrypted decryption key, and 

30 using the decrypted decryption key to decrypt the encrypted 
data transferred to said second data storage means; 
and preventing new registration codes from being stored in the 
memory means (28) of the copy management means until a 
predetermined time period has elapsed. 

35 

2. The method according to claim 1 wherein the decryption 
key provided in said copy management means is also the 
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encryption key used to encrypt the data being copied. 

3 . The method according to claim 1 wherein the decryption 
key stored in the copy management means is different to the 
5 encryption key. 

4. The method according to any preceding claim wherein the 
private key (42) provided in each player device is the 
registration code (37) for the player device. 

10 

5. The method according to any of claims 1 to 3 wherein the 
private key (42) provided in each player device is different 
to the registration code (37) for the player device. 

15 6. Copy management apparatus for controlling the number of 
data player devices (2) which may be used for playback of data 
which has been copied, using a copying system (1), from a 
first data storage means (22) accessible to the copying system 
in use thereof, to a second data storage means (3) associated 

20 with the player device(s), the apparatus comprising: 

memory means (28) for storing up to a predetermined maximum 
number of registration codes (37), each said code being 
associated with a respective data player device (2) ; 
encryption means (26, 78) for encrypting data delivered 

25 thereto, including an encryption key for use in carrying out 
the data encryption, and including encryption means (7 8) for 
encrypting a decryption key, provided in the apparatus, using 
each said registration code which is stored in the memory 
means (28) in order to generate a respective encrypted 

30 decryption key for each said stored registration code; 

clock means (30, 33) for measuring the passing of a finite 
predetermined period of time within which new registration 
codes (37) are prevented from being stored in the memory means 
(28); 

35 monitoring means (27, 35) for monitoring the number of 

registration codes stored in the memory means and starting 
said clock means when said monitoring means detects that the 
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predetermined maximum number of codes have been stored ; 
protection means (34, 72) for setting the memory means in a 
protected mode, in which new registration codes are prevented 
from being entered in the memory, while said clock means (30, 

5 33) measures the passing of said finite period of time; 
registration handler means (27) for receiving at least one 
registration code uploaded, directly or indirectly, from at 
least one said data player device (2), comparing said at least 
one uploaded registration code with the registration codes 

10 already stored in the memory means, storing said at least one 
uploaded registration code in the memory means (28) if the 
memory means does not already contain said at least one 
uploaded registration code and the memory means does not 
already contain said predetermined maximum number of 

15 registration codes, and preventing said uploaded registration 
code from being stored in the memory means if the memory means 
is set in said protected mode; and 

data transfer means (24, 80) for transferring the encrypted 
data, together with each said encrypted decryption key, to a 
20 second data storage means (3) associated with at least one 
said player device. 

7. Copy management apparatus according to claim 6 wherein 
the monitoring means comprises counter means (35) for counting 

25 the number of registration codes (37) which are written to the 
memory means . 

8. Copy management apparatus according to claim 7 wherein 
the registration handler means (27) is formed and arranged to 

30 check the status of the counter means (35), upon receiving an 
uploaded registration code, and to allow or prevent the 
uploaded registration code from being written in the memory 
means (28) according to whether the counter means indicates 
that the memory means already contains said predetermined 

35 maximum number of stored registration codes or not, 
respectively . 
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9. Copy management apparatus according to any of claims 6. to 
8 wherein the encryption key is selected from a predetermined 
list of encryption keys stored in a memory means of the copy 
management apparatus . 

5 

10. Copy management apparatus according to any of claims 6 to 
8 wherein the encryption means includes encryption key 
generating means (29) for generating at least one encryption 
key. 

10 

11. Copy management apparatus according to any of claims 6 
to 10 wherein the decryption key is also the encryption key. 

12. Copy management apparatus according to any of claims 6 to 
15 10 wherein the decryption key is selected from a predetermined 

list of decryption keys stored in a memory means of the copy 
management apparatus . 

13 . Copy management apparatus according to any of claims 6 to 
20 10 wherein the encryption means (29) includes decryption key 

generating means for generating at least one decryption key. 

14. Copy management apparatus according to any of claims 6 to 
13 wherein the apparatus is implemented in an Application 

25 Specific Integrated Circuit (ASIC) . 

15. Copy management apparatus according to claim 14, wherein 
the ASIC is incorporated in the copying system (1) . 

30 16. Copy management apparatus according to claim 14, wherein 
the apparatus is provided as external hardware for connection 
between the copying system (1) and the second data storage 
means (3) . 

35 17. Copy management apparatus according to any of claims 14 
to 16 wherein the encryption means (26), including the 
encryption key, are held in an internal non-volatile memory 
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means provided in the ASIC , which internal non-volatile memory 
means is inaccessible to a user. 

18. Copy management apparatus according to any of claims 6 to 
5 17 wherein the clock means (30, 33), the monitoring means (27, 
35), the protection means (34, 72) and the memory means (28) 
for storing said registration codes are all inaccessible to a 
user . 

10 19. Copy management apparatus according to any of claims 6 to 
13 wherein the encryption means {26, 78), monitoring means 
(27, 35) and registration handler means (27) are implemented 
by processor means controlled by programming code held in a 
memory means of the copying system (1) . 

15 

20. A data copying and playback system incorporating copy 
management, the system comprising: 

copying means (1) for copying digital data from a first data 
storage means (22) accessible to the copying means in use 
20 thereof to at least one second data storage means (3) provided 
as part of the copying and playback system; 

at least one data player device (2) for playing back data 
stored on an associated said second data storage means (2), 
each said player device having a respective registration code 
25 (37) and a respective private key (42) stored in a first 
memory means (98) provided in the player device ; 
second memory means (28) associated with the copying means for 
storing up to a predetermined maximum number of said 
registration codes, each code being associated with a 
30 respective said player device; 

encryption means (26, 78) for encrypting data copied from the 
first data storage means, including an encryption key for use 
in carrying out the data encryption, and including encryption 
means for encrypting a decryption key provided in the copying 
35 means using each said registration code which is stored in the 
second memory means, in order to generate a respective 
encrypted decryption key for each said stored registration 
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code; 

clock means (30, 33) for measuring the passing of a finite 
predetermined period of time within which new registration 
codes are prevented from being written to the second memory 
5 means ; 

monitoring means (27, 35) for monitoring the number of 
registration codes stored in the second memory means (28) and 
starting said clock means when said monitoring means detects 
that the predetermined maximum number of codes have been 
10 stored; 

protection means (34, 72) for setting the second memory means 
in a protected mode, in which new registration codes are 
prevented from being stored therein, while said clock means 
measures the passing of said finite period of time; 

15 registration handler means (27) for receiving at. least one 
said registration code uploaded, directly or indirectly, from 
at least one said data player device, comparing said at least 
one uploaded registration code with the registration codes 
already stored in the second memory means, storing said at 

20 least one uploaded registration code in the second memory 

means if the second memory means does not already contain said 
at least one uploaded registration code and the memory means 
does not already contain said predetermined maximum number of 
registration codes, and preventing said uploaded registration 

25 code from being stored in the second memory means if the 
second memory means is set in said protected mode; and 
data transfer means (24, 80) for transferring the encrypted 
data to at least one said second data storage means (3) , 
together with each said encrypted decryption key; 

30 decryption means (36, 94) provided in each said player device 
(2) for decrypting the encrypted data transferred to said 
second data storage means, and including decryption means (94) 
for decrypting a said encrypted decryption key corresponding 
to the said player device, using the respective private key 

35 (42) for the said player device; 

digital to analogue converter means (38) for converting the 
decrypted digital data into an analogue data signal for a user 
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to playback; and 

playback means (96, 40) for playing the decrypted analogue 
data signal to a user. 

5 21. The data copying and playback system according to claim 
20, wherein the digital data copied from the first data 
storage means (22) is digital audio data and the decrypted 
analogue data signal is an audio signal. 

10 22. The data copying and playback system according to claim 
20 or claim 21, wherein the second data storage means 
comprises a removable solid state memory card (3) formed and 
arranged for interfacing with the player device (2) and with 
the copying means (1) . 

15 

23 . The data copying and playback system according to claim 
2 0 or claim 21, wherein the second data storage means 
comprises solid state memory means incorporated in the player 
device, and the player device is formed and arranged for 
20 interfacing to the copying system to enable the registration 
code stored in the first memory means (98) in the player 
device to be uploaded therefrom to the registration handler 
means (27) . 

25 24. The data copying and playback system according to claim 
23 wherein the first memory means is provided in the second 
data storage means in the player device. 

25. The data copying and playback system according to any of 
30 claims 20 to 24 wherein the decryption means (3 6, 94) and the 

D/A converter means (38) are provided in an ASIC incorporated 
in the player device (2) . 

26. The data copying and playback system according to any of 
35 claims 2 0 to 25 wherein each said data player device (2) whose 

registration code (37) is stored in said second memory means 
(28) is provided with identifier means for identifying the 
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said corresponding encrypted decryption key for the said data 
player device, from all of the encrypted decryption keys 
transferred to the second data storage means (3) . 
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